Didier Stevens

Friday 27 July 2012

My BlueHat Prize Entry: CounterHeapSpray

Filed under: My Software,Shellcode — Didier Stevens @ 10:24

Congratulations to the winners of the BlueHat Prize contest.

My entry was CounterHeapSpray:

CounterHeapSpray monitors the private memory usage of an application to guard against heap  sprays. When the private memory usage of the application exceeds a predefined threshold,  CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages  and populate these pages with its own shellcode. When the heap spray terminates and the exploit  executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will  suspend all threads and display a warning message for the user. When the user clicks OK,  CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode,  CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.

CounterHeapSpray.zip (https)
MD5: 1947380F935AE0B1A8828DE79621F82F
SHA256: CA0BF635655EE05ABED117C858BC86ECDF3EBB4C39544D7D0C396D7C457F1BBC


  1. Excllent idea.

    Comment by Steve — Tuesday 31 July 2012 @ 10:15

  2. What’s the difference between this one and HeapLocker? And, could any of these be used with EMET, and should I disable EMET’s heap spray protection for the processes I’m protecting?


    Comment by reco — Friday 10 August 2012 @ 17:40

  3. @reco First you’ve to know that I was not allowed to submit HeapLocket to the BlueHat Prize competition, because it had already released the source code. So I had to invent something new: CounterHeapSpray. I plan to integrate code from CounterHeapSpray back into HeapLocker.

    I’ve not tested CounterHeapSpray with EMET, but HeapLocker works fine with EMET. You can disable EMET’s heap spray protection to use HeapLocker’s heap spray protection.

    Comment by Didier Stevens — Monday 13 August 2012 @ 9:06

  4. This could potentially be used to bybpass ASLR. Spray the heap with lot of strings, wait for the Counter Heap spray to kick in and replace your strings with code that will terminate your thread. Read back your strings and potentially have information about module locations based on the shellcode put there by the Counter Heap Spray.

    Comment by Peter Vreugdenhil — Wednesday 15 August 2012 @ 16:43

  5. @Peter I think I know what you mean, but only if you are working with the assumption that CounterHeapSpray overwrites strings on the heap. I does not, if a page is already allocated, it will not touch it.

    Comment by Didier Stevens — Thursday 16 August 2012 @ 18:11

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.